FARM CREDIT ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 EVALUATION

For the Fiscal Year Ending September 30, 2007

HARPER, RAINS, KNIGHT & COMPANY, P.A.
CERTIFIED PUBLIC ACCOUNTANTS & CONSULTANTS
RIDGELAND, MISSISSIPPI

FY 2007 FISMA Evaluation

Table of Contents

Federal Information Security Management Act Evaluation
  Executive Summary ... 1
  Objective ... 2
  Scope ... 2
  Methodology ... 4
  Results ... 6
APPENDIX A: OMB M-07-19 Section C – Reporting Template for IGs ... 11
APPENDIX B: Acronyms and Abbreviations ... 16

Prepared by Harper, Rains, Knight & Company, P.A.

Executive Summary

Under the Federal Information Security Management Act of 2002 (FISMA), the Farm Credit Administration's (FCA or Agency) Chief Information Officer (CIO) and Inspector General (IG) are responsible for conducting annual assessments of the Agency's information security program and reporting the results to the Office of Management and Budget (OMB). Under contract with FCA's Office of Inspector General (OIG), Harper, Rains, Knight & Company, P.A. (HRK) performed an evaluation of the Agency's security program and practices, solely to assist the IG with the annual evaluation and reporting to OMB.

This report includes the objectives, scope, methodology, and results of our evaluation of FCA's information security program. In addition, this report includes the IG reporting template (Appendix A) required by OMB's FY 2007 FISMA reporting instructions in OMB Memorandum M-07-19.

Our evaluation included determination of the critical elements, which represent the tasks that are essential for establishing compliance with FISMA and with guidance issued by OMB, the Government Accountability Office (GAO), the CIO Council, and the National Institute of Standards and Technology (NIST).

We determined that FCA has an effective information security program. FCA conducted an annual self-assessment of the Agency's security program, categorized systems based on risk, applied a common security configuration, and completed certifications and accreditations on all Agency systems. In addition, FCA implemented an Agency-wide security awareness and training program, tested the Agency's continuity of operations plan, and followed a comprehensive incident response program.

We observed an active, engaged CIO with a cohesive, experienced, and well-trained staff that is proactive in its approach to information security and responsive to suggestions made during the FISMA evaluation. We also reviewed the CIO's plan to internally develop a Senior Agency Information Security Officer (SAISO) over the next fifteen months, which includes requiring the SAISO to be a Certified Information Systems Security Professional (CISSP).

Our evaluation did not reveal any information security control matters that we deemed to be significant deficiencies that must be reported under FISMA.

Objective

The objectives of the evaluation were to (1) assist the IG in responding to the reporting requirements issued under OMB Memorandum M-07-19 and (2) verify and test the Agency's overall information system security program and practices.

Scope

Our evaluation covered FCA's Agency-owned and contractor-operated information systems of record as of September 30, 2007. FCA is a single-program agency with five mission critical systems. Mission critical systems are defined as any telecommunications or information system used or operated by an agency, a contractor of an agency, or an organization on behalf of an agency that processes information whose loss, misuse, disclosure, or unauthorized access or modification would have a debilitating impact on the mission of the agency.

In accordance with FISMA and OMB's implementation guidance, we evaluated the following mission critical systems.

1. General Support Systems

   a. Microsoft Windows Operating System (Windows)

      Windows is an operating system, the core program of a computer that allows other programs and applications to run. Windows is fully integrated with networking capabilities and was designed for client/server computing, to facilitate user workstation connections to servers and the sharing of information and services among computers. Windows Server is the primary operating system installed on servers in the FCA network. Windows is also installed on Agency laptop and desktop computers, where it functions both as a client to the FCA network and as a stand-alone operating system for the client hardware. Through Windows, users can access network services such as file servers, e-mail, the Internet, applications, and shared hardware such as printers.

2. Major Applications

   a. Lotus Domino (Notes)

      Lotus Domino (Notes) is database-driven collaboration software owned and maintained by FCA. The application supports FCA's daily administrative tasks, including e-mail, group discussion, calendaring and scheduling, database management, forms, and workflow.

   b. Consolidated Reporting System (CRS)

      CRS is a relational database containing financial and statistical information on active and inactive Farm Credit Institutions. CRS contains three distinct subsystems: the Call Report, the Loan Account Reporting System (LARS), and Web-based CRS Reports.

      • The Call Report comprises financial information, including a statement of condition, a statement of income, and supporting schedules, that is collected quarterly from the System Institutions. The Call Report subsystem is monitored, analyzed, and assessed by FCA examiners and financial analysts to ensure that the integrity and confidentiality of financial data are maintained.

      • The LARS database contains specific loans of Farm Credit System lender institutions. Institutions electronically submit the data quarterly through FCA's secure Web site. The loan data is verified and validated by FCA personnel.

      • Web-based CRS Reports is an FCA-developed application used to make reports available on FCA's Web site. The Freedom of Information Act (FOIA) versions of the reports are available to the public. The non-FOIA versions of the reports are available only to authorized users.

   c. Oracle Federal Financials from the Bureau of the Public Debt (BPD)

      Oracle Federal Financials supports all FCA core accounting functions, including budget execution, accounts payable, disbursements, purchasing, travel, accounts receivable, general ledger, document tracking, project cost accounting, and external reporting.

   d. Personnel/Payroll System (PPS) from the National Finance Center (NFC)

      NFC provides core personnel and payroll processing functions to FCA, including distributed application and telecommunications support for PPS.

Methodology

HRK conducted this independent evaluation following the requirements found in GAO's Federal Information System Controls Audit Manual (FISCAM), OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources," current NIST guidance, and the CIO Council Framework. We used these criteria to evaluate FCA's practices in determining compliance with FISMA.

Our evaluation was performed from April through September 2007 at FCA's headquarters in McLean, Virginia. This evaluation was performed in accordance with Government Auditing Standards, issued by the Comptroller General of the United States, for performance audits, and with applicable IS Auditing Standards, issued by the Information Systems Audit and Control Association (ISACA).

In performing this evaluation, we conducted interviews with key personnel, observed daily activities performed by FCA personnel, evaluated and reviewed policies and procedures provided by FCA, and evaluated the certification and accreditation (C&A) and internal network security assessment (INSA) performed by external parties. HRK did not perform technical testing of FCA's information systems.

The evaluation focused on the actual performance of the Agency's security program and practices and not on how the Agency measures its performance in its own evaluations. We relied on the guidelines in NIST Special Publication 800-53A for evaluating information systems. Our assessment procedures included identifying the security controls for each system and determining whether those controls were implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system.

NIST Special Publication 800-53A organizes security control assessment procedures into three "classes" of controls (management, operational, and technical) and further divides the three classes into seventeen security control families. For each security control family, we made a summary determination as to the effectiveness of FCA's related controls. If the controls for one or more of a family's critical elements were found ineffective, then the controls for the entire family are not likely to be effective. We exercised professional judgment in making such determinations. Below is a summary description of the seventeen security control families we assessed at FCA.

   • Management
      o Risk assessment – Controls in place to categorize information systems in accordance with FIPS 199, assess the potential impact of unauthorized access, and update the risk assessment regularly.
      o Planning – Controls in place to ensure a security plan exists and that the plan is readily available, updated regularly, and tested.
      o System and services acquisition – Controls in place to allocate resources during capital budgeting, use a system development life cycle, and implement the information system using security engineering principles.
      o Certification, accreditation, and security assessments – Controls in place to certify and accredit information systems and interconnected systems, perform continuous monitoring, and develop and update the plan of action and milestones (POA&M).

   • Operational
      o Personnel security – Controls in place for employee screening, handling of terminated employees, and sanctions for compliance failures.
      o Physical and environmental protection – Controls in place for physical access to the building and information systems, visitor access, and preventive measures against physical damage to information system components.
      o Contingency planning – Controls in place for planning, training, testing, and reviewing all contingency plans, as well as providing alternate storage and processing sites.
      o Configuration management – Controls in place to document configuration information, monitor changes, and restrict access to information systems.
      o Maintenance – Controls in place to control remote diagnostic activities, restrict the personnel allowed to perform maintenance, keep maintenance contracts, and have spare parts on hand.
      o System and information integrity – Controls in place to correct system flaws, monitor system events, and protect against unauthorized changes.
      o Media protection – Controls in place to ensure only authorized personnel have access to sensitive media, appropriately mark and store media, and sanitize media when it is no longer needed.
      o Incident response – Controls and procedures in place to train personnel in their roles, test response capability, detect incidents, and appropriately handle, monitor, and document incidents.
      o Awareness and training – Controls in place to implement security awareness and training for all employees including contractors, monitor training, and stay up to date with current technology and security practices.

   • Technical
      o Identification and authentication – Controls in place to identify and authenticate users of information systems, authenticate devices on information system networks, and manage users of information systems.
      o Access control – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
      o Audit and accountability – Controls in place to identify auditable events, generate and review audit logs, and protect audit data and reports.
      o System and communications protection – Controls in place to separate user functionality from information system management functionality, protect against Internet attacks, and establish trusted communication paths between the user and the system.

The results were formally communicated to the CIO and responsible personnel from the Technology Team on September 13, 2007. On September 17 we held a follow-up meeting with the CIO and key personnel from the Technology Team to discuss the OMB M-07-19 IG Reporting Template. We continued discussions via phone and e-mail through September 25, when we held an exit conference with the IG, the CIO, and their respective key personnel.

Results

Our procedures did not reveal any information system security control matters that we deemed to be significant deficiencies that must be reported under FISMA.
Below is a summary of our observations for each of the security control families.

Risk assessment

FCA has controls in place to categorize information systems in accordance with FIPS 199, assess the potential impact of unauthorized access, and update the risk assessment at least annually. FCA has policies and procedures in place, and they are periodically reviewed. FCA categorizes information systems in accordance with FIPS 199. During fiscal year 2007, FCA lowered its FIPS 199 impact level from high to moderate for the general support system and CRS. We concur with these categorizations. FCA conducts annual risk assessments of its information systems. FCA has a Continuity of Operations Plan (COOP) in place, and it is reviewed annually. FCA has a system in place to track general security notifications and assess their potential impact. While FCA has an Information Security Officer (ISO) who performs daily information security activities, the CIO has been acting as the SAISO. FCA has developed a plan that requires the ISO to obtain CISSP certification and take appropriate security training over the next fifteen months before being considered for the SAISO position.

Planning

FCA has controls in place to ensure a security plan exists and that the plan is readily available, updated regularly, and tested. FCA has policies and procedures in place, and they are periodically reviewed. FCA has incorporated its security plans into the COOP. The security plans are reviewed annually and revised when appropriate. FCA provides training to employees on the expectations for using its information systems. FCA tests the impact of changes before implementing them on its information systems.

System and services acquisition

FCA has controls in place to allocate resources during capital budgeting, use a system development life cycle, and implement information systems using security engineering principles, where applicable. FCA has policies and procedures in place, and they are periodically reviewed. The Information Resources Management (IRM) plan outlines and budgets for future information technology needs. FCA applies a system development life cycle to its information systems, and security is considered during FCA's information system planning and acquisition process. FCA tracks licenses and installations to comply with software usage restrictions. FCA does not allow software to be downloaded and installed unless it is supplied by FCA or approved on an individual basis. FCA designs and implements information systems using security engineering principles.

Certification, accreditation, and security assessments

FCA has controls in place to certify and accredit information systems and interconnected systems, perform continuous monitoring, and develop and update the POA&M. FCA has policies and procedures in place, and they are periodically reviewed. FCA conducts assessments of the security controls in its information systems annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome. FCA authorizes all interconnections to information systems outside the accreditation boundary and monitors and controls those interconnections on an ongoing basis. FCA has a process to develop, update, and report POA&Ms as required by OMB. FCA has a policy to perform C&As on its information systems every three years or when significant information system changes occur, and does so. FCA plans to require system owners to sign off on the C&A and authorization to operate (ATO) documents beginning in FY 2008.

Personnel security

FCA has controls in place for employee screening, handling of terminated employees, and sanctions for compliance failures. FCA has policies and procedures in place, and they are periodically reviewed. Each FCA Position Description (PD) has a "Position Sensitivity" indicator. FCA employees are not granted access to information systems without a sponsor's approval. When an employee is terminated, quits, or retires, FCA requires the individual to complete a separation checklist. FCA requires new hires and contractors to sign FCA's Computer Security Program Employee Certification, which declares that they have read FCA's Computer Security Program policy.

Physical and environmental protection

FCA has controls in place limiting physical access to the building and information systems, monitoring visitor access, and preventing physical damage to information system components. FCA has policies and procedures in place, and they are periodically reviewed. FCA issues identification badges to all personnel, including contractors. FCA controls all entry points via either guarded entry or Kastle Key access. A visitor access log is maintained at the front desk. FCA's information system distribution and transmission lines run through the secured computer room. All visitors must be escorted into the computer room by an FCA employee, and a visitor log is maintained for the computer room. FCA maintains an uninterruptible power supply for the secured computer room and has redundant heating, ventilation, and air conditioning (HVAC) units in the controlled computer room to regulate temperature. FCA keeps track of computers through the Property Management Tracking System (PMTS).

The Technology Team offices are located on a high-traffic common floor shared with non-FCA tenants and the building's cafeteria. We observed that the side-entrance doors to the offices were closed and locked, but the door at the main entrance to the offices was open during work hours. We noted that all entrance doors were clearly marked "FCA Personnel Only." We observed the nightly cleaning crew unlock and open all doors in the offices while on site; the guards periodically check and secure the doors after the cleaning crew has left the premises. The CIO plans to use the Fairfax County Police Department to assist FCA in addressing the concerns identified with the nightly cleaning crew, appropriately securing the doors to sensitive FCA office space, and other physical security issues.

Contingency planning

FCA has controls in place for planning, training, testing, and reviewing all contingency plans, as well as providing alternate storage and processing sites. FCA has policies and procedures in place, and they are periodically reviewed. FCA personnel have been trained in their responsibilities in the event of an emergency, and the COOP has been regularly tested via the Continuity of Government Condition (COGCON) exercises. The COOP is reviewed annually and updated as required. FCA has an emergency operations center that serves as its alternate processing site and provides for the resumption of information system operations for mission critical functions when the primary processing capabilities are unavailable. FCA runs backups of user and system information daily (incremental) and weekly (full).

Configuration management

FCA has controls in place to document configuration information, monitor changes, and restrict access to information systems. FCA has policies and procedures in place, and they are periodically reviewed. Information system changes are tested and monitored after being placed in production. FCA has established configuration settings for its information technology, sets default access to none, and enforces the configuration settings in all components of the information system. FCA has adopted a standard configuration policy that incorporates the intent of the NIST baseline security configurations. In addition, FCA plans to adopt the NIST baseline security configurations for all new technology implemented and to document any deviations from the NIST security configurations on all systems.

Maintenance

FCA has controls in place to control remote diagnostic activities, restrict the personnel allowed to perform maintenance, keep maintenance contracts, and have spare parts on hand. FCA has policies and procedures in place, and they are periodically reviewed. FCA runs Hewlett Packard (HP)/Compaq Insight System Manager, which monitors the health of servers and reports problems via e-mail. FCA controls and monitors maintenance on FCA laptops. FCA has a maintenance contract with a four-hour response time for server repairs.

System and information integrity

FCA has controls in place to correct system flaws, monitor system events, and protect against unauthorized changes. FCA has policies and procedures in place, and they are periodically reviewed. FCA has virus protection software installed, and it updates automatically. FCA continuously monitors its information systems to detect attacks and prevent unauthorized use. FCA participates in the United States Computer Emergency Readiness Team (US-CERT) program. FCA restricts which personnel can make changes to the information systems. FCA applications have edit checks built in to ensure data integrity.
Media protection

FCA has controls in place to ensure only authorized personnel have access to sensitive media, appropriately mark and store media, and sanitize media when it is no longer needed. FCA has policies and procedures in place, and they are periodically reviewed. FCA restricts user access to drives and applications. FCA's media labels do not indicate what is stored on the media, and backup tapes are stored in a safe; system media is bar-coded so that appropriate personnel can identify what is contained on each tape. FCA controls the system media and restricts the pickup, receipt, transfer, and delivery of such media to authorized personnel.

Incident response

FCA has controls and procedures in place to train personnel in their incident response roles, test its response capability, and actively monitor, respond to, and document incidents. FCA periodically reviews and updates its policies and procedures. FCA trains its employees to respond to incidents. FCA continually monitors for intrusions and documents and investigates unusual activity. We found that during the current year FCA significantly enhanced its incident handling capabilities.

Awareness and training

FCA has controls in place to implement security awareness and training for all employees including contractors, monitor training, and stay up to date with current technology and security practices. FCA has policies and procedures in place, and they are periodically reviewed. FCA requires all employees to complete annual information technology security awareness training, and FCA performs additional security awareness activities through the FCA newsletter and News Flash e-mails.

Identification and authentication

FCA has controls in place to identify and authenticate users of information systems, authenticate devices on information system networks, and manage users of information systems. FCA has policies and procedures in place, and they are periodically reviewed. FCA users must be authenticated before accessing any resource. The encryption used on the Web site to access FCA information, Secure Sockets Layer (SSL), meets federal standards.

Access control

FCA has controls that limit and monitor access to computer resources to protect against unauthorized modification, loss, and disclosure. FCA has policies and procedures in place, and they are periodically reviewed. FCA deactivates accounts after a defined period of inactivity, and passwords must be changed periodically. FCA applies least-privilege access. FCA enforces segregation of duties through assigned authorizations. FCA locks computers after three consecutive unsuccessful login attempts. FCA does not permit employees to use personally owned equipment to access the FCA network. Although FCA does not continuously monitor those with administrative privileges to FCA's information systems, FCA has compensating controls that mitigate the risks to its systems.

Audit and accountability

FCA has controls in place to identify auditable events and to generate, review, and protect audit data and reports. FCA has policies and procedures in place, and they are periodically reviewed. FCA information systems generate and store logs that provide an audit trail. FCA is notified via e-mail of suspicious events, in addition to the event being recorded in the log. FCA can produce audit trail reports from the firewall and intrusion detection system. FCA's event/audit logs include time stamps. FCA audit log information is restricted to information technology personnel.

System and communications protection

FCA has controls in place to separate user functionality from information system management functionality, protect against Internet attacks, and establish trusted communication paths between the user and the system. FCA has policies and procedures in place, and they are periodically reviewed. FCA separates information system user functionality from information system management functionality. FCA has controls in place to limit the effects of common attacks, including denial-of-service attacks. FCA has controls in place to ensure that high-priority processes, such as virus scans, have access to the resources they need. FCA information is transmitted by secure means, such as SSL, when appropriate. FCA terminates remote connections after 30 minutes of inactivity. FCA separates FOIA information from private information on the Web site.

APPENDIX A

OMB FISMA Reporting Template
Section C – Inspector General: Questions 1 and 2

Agency Name: Farm Credit Administration
Submission date: 1-Oct-07

Question 1: FISMA Systems Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the total number of systems reviewed by Component/Bureau and FIPS system impact level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key:
  Q1a  Agency systems: Number / Number Reviewed
  Q1b  Contractor systems: Number / Number Reviewed
  Q1c  Total number of systems (agency and contractor): Total Number / Total Number Reviewed
  Q2a  Number of systems certified and accredited: Total Number / Percent of Total
  Q2b  Number of systems for which security controls have been tested and reviewed in the past year: Total Number / Percent of Total
  Q2c  Number of systems for which contingency plans have been tested in accordance with policy: Total Number / Percent of Total

Bureau Name: Farm Credit Administration

FIPS 199 Impact Level | Q1a Number / Reviewed | Q1b Number / Reviewed | Q1c Total / Reviewed | Q2a Number / Percent | Q2b Number / Percent | Q2c Number / Percent
High                  |        -   /    -     |        -   /    -     |       0   /    0     |       -   /    -     |       -   /    -     |       -   /    -
Moderate              |        3   /    3     |        2   /    2     |       5   /    5     |       5   /  100%    |       5   /  100%    |       5   /
   100%\n                             Low                                                                 0            0\n                             Not Categorized                                                     0            0\n                             Sub-total                  3          3          2         2        5            5          5     100%           5     100%          5     100%\nN/A                          High                                                                0            0\n                             Moderate                                                            0            0\n                             Low                                                                 0            0\n                             Not Categorized                                                     0            0\n                             Sub-total                  0          0          0         0        0            0          0                    0                   0\nN/A                          High                                                                0            0\n                             Moderate                                                            0            0\n                             Low                                                                 0            0\n                             Not Categorized                                                     0            0\n                             Sub-total                  0          0          0         0        0            0          0                    0                   0\nN/A                          High                                                                0            0\n                             Moderate                                                            0            0\n                             Low                                                                 0            0\n                  
           Not Categorized                                                     0            0\n                             Sub-total                  0          0          0         0        0            0          0                    0                   0\nN/A                          High                                                                0            0\n                             Moderate                                                            0            0\n                             Low                                                                 0            0\n                             Not Categorized                                                     0            0\n                             Sub-total                  0          0          0         0        0            0          0                    0                   0\nN/A                          High                                                                0            0\n                             Moderate                                                            0            0\n                             Low                                                                 0            0\n                             Not Categorized                                                     0            0\n                             Sub-total                  0          0          0         0        0            0          0                    0                   0\nAgency Totals                High                       0          0          0         0        0            0          0                    0                   0\n                             Moderate                   3          3          2         2        5            5          5     100%           5     100%          5     100%\n                             Low                        0          0          0         0        0            0          0                    0                   0\n  
                           Not Categorized            0          0          0         0        0            0          0                    0                   0\n                             Total                      3          3          2         2        5            5          5     100%           5     100%          5     100%\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                                                                                                         11\n\x0c                                                FY 2007 FISMA Evaluation\n\n\n                                             Section C - Inspector General: Question 3\nAgency Name:   Farm Credit Administration\n               Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory\n\n      3.a.     The agency performs oversight and evaluation to ensure information systems used or operated by a\n               contractor of the agency or other organization on behalf of the agency meet the requirements of\n               FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.\n\n               Agencies are responsible for ensuring the security of information systems used by a contractor of their\n               agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet\n               the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider,\n                                                                                                                              Almost Always (96-100% of\n               may be sufficient. 
Agencies and service providers have a shared responsibility for FISMA compliance.\n                                                                                                                              the time)\n               Response Categories:\n                - Rarely- for example, approximately 0-50% of the time\n                - Sometimes- for example, approximately 51-70% of the time\n                - Frequently- for example, approximately 71-80% of the time\n                - Mostly- for example, approximately 81-95% of the time\n                - Almost Always- for example, approximately 96-100% of the time\n\n               The agency has developed a complete inventory of major information systems (including major\n      3.b.     national security systems) operated by or under the control of such agency, including an\n               identification of the interfaces between each such system and all other systems or networks,\n               including those not operated by or under the control of the agency.\n                                                                                                                            Inventory is 96-100%\n               Response Categories:                                                                                         complete\n                - The inventory is approximately 0-50% complete\n                - The inventory is approximately 51-70% complete\n                - The inventory is approximately 71-80% complete\n                - The inventory is approximately 81-95% complete\n                - The inventory is approximately 96-100% complete\n\n      3.c.     The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.                                  Yes\n\n               The IG generally agrees with the CIO on the number of information systems used or operated by a\n      3.d.                                                                                
                                             Yes\n               contractor of the agency or other organization on behalf of the agency. Yes or No.\n\n      3.e.     The agency inventory is maintained and updated at least annually. Yes or No.                                            Yes\n\n               If the Agency IG does not evaluate the Agency\'s inventory as 96-100% complete, please identify the known missing systems by\n      3.f.     Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if\n               known), and indicate if the system is an agency or contractor system.\n\n                                                                                                                               Agency or\n                                                                                                Exhibit 53 Unique Project\n                         Component/Bureau                           System Name                                                Contractor\n                                                                                                     Identifier (UPI)\n                                                                                                                                system?\n\n\n\n\nPrepared by Harper, Rains, Knight & Company, P.A.                                                                                                   
12\n\x0c                                                         FY 2007 FISMA Evaluation\n\n\n                                                Section C - Inspector General: Questions 4 and 5\nAgency Name: Farm Credit Administration\n                                   Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process\nAssess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process.\nEvaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or\nnecessary, include comments in the area provided.\n\nFor each statement in items 4.a. through 4.f., select the response category that best reflects the agency\'s status.\n\nResponse Categories:\n - Rarely- for example, approximately 0-50% of the time\n - Sometimes- for example, approximately 51-70% of the time\n - Frequently- for example, approximately 71-80% of the time\n - Mostly- for example, approximately 81-95% of the time\n - Almost Always- for example, approximately 96-100% of the time\n                  The POA&M is an agency-wide process, incorporating all known IT security weaknesses\n       4.a.       associated with information systems used or operated by the agency or by a contractor of the       Almost Always (96-100% of the time)\n                  agency or other organization on behalf of the agency.\n                  When an IT security weakness is identified, program officials (including CIOs, if they own or\n       4.b.                                                                                                          Almost Always (96-100% of the time)\n                  operate a system) develop, implement, and manage POA&Ms for their system(s).\n                  Program officials and contractors report their progress on security weakness remediation to the\n       4.c.                                                             
                                          Almost Always (96-100% of the time)\n                  CIO on a regular basis (at least quarterly).\n                  Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly\n       4.d.                                                                                                          Almost Always (96-100% of the time)\n                  basis.\n\n       4.e.       IG findings are incorporated into the POA&M process.                                               Almost Always (96-100% of the time)\n\n                  POA&M process prioritizes IT security weaknesses to help ensure significant IT security\n       4.f.                                                                                                          Almost Always (96-100% of the time)\n                  weaknesses are addressed in a timely manner and receive appropriate resources.\n                  FCA does not have any outstanding POA&M items as of September 14, 2007.\n\n\n\n\n                                        Question 5: IG Assessment of the Certification and Accreditation Process\nProvide a qualitative assessment of the agency\'s certification and accreditation process, including adherence to existing policy, guidance, and\nstandards. Provide narrative comments as appropriate.\n\nAgencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for\ncertification and accreditation work initiated after May 2004. 
This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems"
(February 2004) to determine a system impact level, as well as the associated NIST documents used as guidance for
completing risk assessments and security plans.

5.a.  The IG rates the overall quality of the Agency's certification and accreditation process as:

      Response Categories:
       - Excellent
       - Good
       - Satisfactory
       - Poor
       - Failing

      Response: Good

5.b.  The IG's quality rating included or considered the following aspects of the C&A process (check all that apply):
       [X] Security plan
       [X] System impact level
       [X] System test and evaluation
       [X] Security control testing
       [X] Incident handling
       [X] Security awareness training
       [X] Configurations/patching
       [ ] Other:

      C&A process comments: FCA has completed its first three-year cycle for the C&A process, including completing C&As
      on all agency systems; however, this process is in its infancy and must become an established, recurring process
      within the agency.


Section C - Inspector General: Questions 6 and 7
Agency Name: Farm Credit Administration

Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

6.a.  Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in
      Section D II.4 (SAOP reporting template), including adherence to existing policy, guidance, and standards.

      Response Categories:
       - Excellent
       - Good
       - Satisfactory
       - Poor
       - Failing

      Comments: FCA has a process in place, which includes the involvement of the Office of General Counsel and the
      SAOP, to determine if a PIA is necessary. To date, FCA has not been required to complete a PIA.

6.b.  Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-06-15,
      "Safeguarding Personally Identifiable Information" since the most recent self-review, including the agency's
      policies and processes, and the administrative, technical, and physical means used to control and protect
      personally identifiable information (PII).

      Response Categories:
       - Excellent
       - Good
       - Satisfactory
       - Poor
       - Failing

      Response: Excellent

      Comments: Excluding FCA Employee Data, FCA does not store PII on FCA systems of record. FCA has policies and
      procedures in place to reduce risk when FCA examiners obtain PII ad hoc.


Question 7: Configuration Management

7.a.  Is there an agency-wide security configuration policy? Yes or No.
      Response: Yes

      Comments: FCA has adopted a standard configuration policy that incorporates the intent of the NIST baseline
      security configurations. FCA has plans to adopt the NIST baseline security configurations with all new technology
      implemented and to document any deviations from the NIST security configurations on all systems.

7.b.  Approximate the extent to which applicable information systems apply common security configurations established
      by NIST.

      Response Categories:
       - Rarely - for example, approximately 0-50% of the time
       - Sometimes - for example, approximately 51-70% of the time
       - Frequently - for example, approximately 71-80% of the time
       - Mostly - for example, approximately 81-95% of the time
       - Almost Always - for example, approximately 96-100% of the time

      Response: Almost Always (96-100% of the time)


Section C - Inspector General: Questions 8, 9, 10 and 11
Agency Name: Farm Credit Administration

Question 8: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to
US-CERT, and to law enforcement. If appropriate or necessary, include comments in the area provided below.

8.a.  The agency follows documented policies and procedures for identifying and reporting incidents internally.
      Yes or No.
      Response: Yes

8.b.  The agency follows documented policies and procedures for external reporting to US-CERT. Yes or No.
      (http://www.us-cert.gov)
      Response: Yes

8.c.  The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.
      Response: Yes

      Comments: (none)


Question 9: Security Awareness Training

Has the agency ensured security awareness training of all employees, including contractors and those employees with
significant IT security responsibilities?

Response Categories:
 - Rarely - or approximately 0-50% of employees
 - Sometimes - or approximately 51-70% of employees
 - Frequently - or approximately 71-80% of employees
 - Mostly - or approximately 81-95% of employees
 - Almost Always - or approximately 96-100% of employees

Response: Almost Always (96-100% of employees)


Question 10: Peer-to-Peer File Sharing

Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training,
or any other agency-wide training? Yes or No.
Response: Yes


Question 11: E-Authentication Risk Assessments

The agency has completed system e-authentication risk assessments. Yes or No.
Response: Yes


APPENDIX B

Acronyms and Abbreviations

ATO          Authorization to Operate
BPD          Bureau of Public Debt
C&A          Certification and Accreditation
CIO          Chief Information Officer
CISSP        Certified Information Systems Security Professional
COGCON       Continuity of Government Condition
COOP         Continuity of Operations Plan
CRS          Consolidated Reporting System
FCA/Agency   Farm Credit Administration
FIPS         Federal Information Processing Standards
FISCAM       Federal Information System Controls Audit Manual
FISMA        Federal Information Security Management Act of 2002
FOIA         Freedom of Information Act
FY           Fiscal Year
GAO          Government Accountability Office
HRK          Harper, Rains, Knight & Company, P.A.
HP           Hewlett Packard
HVAC         Heating, Ventilating and Air Conditioning
IG           Inspector General
INSA         Internal Network Security Assessment
IRM          Information Resource Management
ISO          Information Security Officer
LARS         Loan Account Reporting System
NFC          National Finance Center
NIST         National Institute of Standards and Technology
OIG          Office of the Inspector General
OMB          Office of Management and Budget
OMS          Office of Management Services
PD           Position Description
PMTS         Property Management Tracking System
POA&M        Plan of Action and Milestones
PPS          Personnel/Payroll System
SAISO        Senior Agency Information Security Officer
SSL          Secure Sockets Layer
System       Farm Credit System
US-CERT      United States Computer Emergency Readiness Team
Windows      Microsoft Windows Operating System